Re: Linux Firewall Suggestion
From: Mike (honey_at_michaelmoyse.co.uk)
Date: Wed, 04 May 2005 13:00:35 +0100
Jack Masters wrote:
> Mike wrote:
>> KP wrote:
>>> I work for a company that has no firewall. We are 20 person company
>>> whose connection to the Internet is via Cisco 1610 router - T1.
>>> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
>>> Address (our mail, web site, and FTP) to 3 of the Internal Servers.
>>> It does a one to one mapping.
>>> Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
>>> 100.100.100.100 to private 192.168.1.10);
>>> Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443)
>>> - (public ip 100.100.100.101 to private 192.168.1.11);
>>> Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
>>> 100.100.100.102 to private 192.168.1.12);
>>> My GOAL is to get a Linux firewall that is SIMPLE to use to place
>>> between the internal network and our Internet router. Also, it has
>>> to be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
>>> private ip xxx.xxx.xxx.xxx- same as 1 to 1 NAT mapping but more
>>> locked down due to firewall features. Because multiple servers have
>>> port 80 and 443, I can't just do port forwarding. It must be
>>> intelligent enough to see the URL/URI to forward to the right box.
>>> Hope this made sense.
>>> What would you guys suggest in terms of the Linux distro with this
>>> capability, and how I should set it up?
>>> Thank you!
>> If you are not sure what you are doing, don't play with your company
>> network. This is not the place to start learning about Linux
>> firewalls. Invest your money in a hardware solution such as a
>> Watchguard Firebox. You will find it easier to implement as it has a
>> Windows front end and you will get all the benefits of a
>> Linux/Iptables box as that is what it uses. You will also get first
>> rate support (They can even configure the box remotely for you) and
>> I'm not affiliated with Watchguard in any way. I just use their boxes
>> and also build Linux firewalls using IPCOP and Smoothwall or just
>> plain old IPtables.
> Any firewall, even a badly configured one, would be better than leaving
> the network wide open. Playing with the firewall on a live network may
> open one up to (physical) abuse from users that see their lunchtime
> surfing/IM interrupted, but starting off with one of the many example
> scripts available, it would be difficult to create a FW that opens the
> network up further than it already is.
Would you learn to wire a house by doing it with the power on?
Would you learn to service a car by playing with your father's brand new
Bottom line, you do not learn by playing with live systems. Only a fool
would do that.
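Added example, not from the thread or any poster: a POSIX shell script that prints (rather than applies) the iptables rules for the locked-down 1:1 NAT layout KP described, three public addresses each translated to one internal server with only the listed TCP ports admitted. Since every server has its own public address, the rules key on destination IP and need no URL inspection; the interface names are assumptions, and the PPTP mapping is written with TCP 1723 plus GRE (protocol 47), which is what PPTP actually uses.

```shell
#!/bin/sh
# Constructed example: emit iptables rules for locked-down 1:1 NAT.
# Rules are printed for review; pipe through sh to apply on a real box.
WAN=eth0   # assumed outside interface (towards the Cisco router)
LAN=eth1   # assumed inside interface (towards the servers)

# nat_rules PUBLIC PRIVATE PORT[,PORT...]  -> rules for one mapped server
nat_rules() {
    pub=$1; priv=$2; ports=$3
    # Rewrite the public address to the internal server on the way in.
    echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -j DNAT --to-destination $priv"
    # Traffic the server originates leaves with its own public address.
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $priv -j SNAT --to-source $pub"
    # Only the listed ports may open new connections to the server; the
    # FORWARD policy of DROP (set in ruleset) discards everything else.
    oldifs=$IFS; IFS=,
    for p in $ports; do
        echo "iptables -A FORWARD -i $WAN -o $LAN -d $priv -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    IFS=$oldifs
}

# ruleset -> the complete forwarding/NAT ruleset for the three servers
ruleset() {
    echo "iptables -P FORWARD DROP"
    # Replies and related flows (e.g. FTP data with ip_conntrack_ftp loaded)
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    nat_rules 100.100.100.100 192.168.1.10 80,443   # Exchange / OWA
    nat_rules 100.100.100.101 192.168.1.11 80,443   # SharePoint / Project Server
    nat_rules 100.100.100.102 192.168.1.12 21,1723  # FTP + PPTP control channel
    # PPTP's tunnel is GRE, which has no port, so it is admitted by protocol.
    echo "iptables -A FORWARD -i $WAN -o $LAN -d 192.168.1.12 -p gre -j ACCEPT"
}

ruleset
```

Review the printed output before applying it on the firewall; the FORWARD default policy of DROP means anything not listed per server is refused.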